Splunk Enterprise Security Reviews

Our primary use case is for security audit log collection correlation. We wanted something that the security team could focus on versus going directly into our enterprise. We had some initial use cases to supplement our IT ops security into one product. We had a SIEM but not one that was as customizable as Splunk Enterprise Security.

The out-of-the-box capabilities that Enterprise Security offers were very helpful. We're not using it anymore because it was almost overkill. We have shifted to go back to just the core functionality. We were inundated with the amount of alerts and alarms that we could get out of it. It is also a resource hog and we didn't have the resources to support it on-prem so we're taking it offline now.

We saw the granularity that we could get from Splunk far exceeded what we already had. We had the ability to have our security team really focus on the platform and stay within the platform, but they could correlate with a variety of other stakeholders, and our stakeholders were growing. So we tried to get ahead of that and filter it in to create customizable KPIs for those user groups versus having a one-size-fits-all approach. That unique was very helpful for us to expand upon. The driving force is resources, and we were lacking those.

We use it to monitor multiple clouds. We weren't leveraging it for all of our clouds, but we have a presence in GCP, AWS, and Azure. The unity and uniformity across all of it would have been great but at that stage, we were only using it for on-prem coverage. We would like to go ahead and understand how we can implement it as a cloud solution as we are increasing our daily footprint too. We weren't really prepared to understand the workflows we already had in the CSPs or the new integrations of data lakes at a warehouse that were and are still being built out to get Enterprise Security to function off of that too. We hadn't gotten to that stage.

A lot of what we were doing was done manually in terms of vulnerability and remediation and is still being done manually now. Evolving to a stage where the alerts weren't inundating our customers and getting familiar with the product would have helped us perhaps get a bit more functionality and usability out of it. We are seeing some value out of Enterprise Security and think we can get similar results elsewhere. I think that down the road, as our understanding gets better of how we want framework requirements, Enterprise Security could come back into the picture.

I have been using Splunk Enterprise Security for around twelve months.

Stability had its drawbacks because of how much it consumes. We had to justify whether or not it was worth keeping it up. The decision was to not keep up with it.

We are only on-prem so we do manual scaling. We don't have the elasticity that we would have in the cloud which limited us. Justifiably, in order to scale up the platform, we would have to go through procurements and more hardware, which was not an option. So we were limited, and we knew that. We had done pilots and buildout but a hardware refresh cycle was coming up, we had to justify whether or not it was in the cards.

I've been working with Splunk for several years now, and I've always found them very responsive and supportive in a variety of technologies around core functionality like Enterprise Security and ITSI. 

I would rate them an eight out of ten. They have a strong team through and through from the pre-presales all the way through architectural changes and shifts that we need to do to address the customer.

Positive

We've had numerous implementations of SIEM solutions over the years. Splunk offered a lot of capabilities on top of some of our old antiquated Sentinel and Azure. We had many other products before we pursued Enterprise Security. But we weren't in a position to really go down the Enterprise Security route because we hadn't quite fleshed out what our end goal was.

We're still in the evaluation stages. Looking at Enterprise Security, given the fact that we already have an investment in Splunk, it makes sense. We would like to see it grow beyond just Enterprise Security to more of not just observability, but pro actions to utilize the source of that nature. 

We had great success potentially going into a SOAR from Enterprise Security. We hadn't quite evolved to that point yet. At this stage, it's just not really in our pipeline to pursue Enterprise Security until we get a better understanding of our requirements.

Refining those playbooks and so forth also is going to take time. We have customers who have categorically unique requirements. From a security standpoint, one group's security requirements are going to be different from some of the other teams that we have. We are trying to find that uniformity across the board. We may have to entertain multiple security solutions to meet their needs.

My role was to support a lot of the backend and the configuration of the platform as it was being established.

The level of difficulty was on par with the Splunk Enterprise core. My team was involved with a lot of the provisioning from the virtual environment and on-prem to support it. It wasn't overly complicated. Once it was up it took a lot of resources. Evaluating and seeing whether or not we could actually move it to the cloud when the core functionality still existed on-prem, we weren't willing to split them at this stage.

We would almost always have Splunk support through the deployment and configuration stages of it. It was always solid. Once we had the platform up and running, we had to consider general operations and maintenance. While the Splunk team was great and the resources are available, there is a finite amount of resources on-site.

Splunk is not cheap. That's definitely a consideration as we look at other products.

We haven't seen much time to value using the solution system but it wasn't necessarily a fault of the product. It was the cycles to maintain it and support it, to make sure it's growing correctly. We hadn't gotten to that stage. Our ROI and TCO, given the fact that its footprint is being looked at because of what it takes to maintain it in terms of resources. We have the core platform, and then we have a growing license. We're looking at how we can efficiently use Enterprise Security. It's just not there at this point.

I would rate Splunk Enterprise Security an eight out of ten. I think the rating has the potential to be higher. If we had time to flesh it out and vet some of the core capabilities of Enterprise Security and how it could benefit us over the core. Getting to that stage requires a lot more customer engagement on our side that we weren't really prepared to do because of budgetary constraints, hardware refresh cycles, and so forth. Overall, we dropped the product not necessarily because of a lack of capability, it was more along the lines that the timing wasn't appropriate for our security teams.

The biggest value I get from attending a Splunk conference is knowledge transfer. I work in the public so it's valuable having a lot of conversations with fellow colleagues who are in the public sector and hearing their hurdles. We don't want to reinvent the wheel every time, and we don't want to hit obstacles that could have been lessons learned. The conference is a really good opportunity to see what's new, what's out there, and how it can blend in with our current architecture and designs. It also helps to understand what's not going to work to be able to get ahead of it before questions come up. We can properly equip our customers and answer their questions. The Splunk conference is a good brain dump.

We are using it for information assurance, system alerting, and compliance. We are using its latest version.

It integrates into our VMware environment and provides infrastructure alerting and monitoring.

The ability to ingest different log types from many different products in our environment is most valuable.

It seems to have everything in terms of features. Every time I think of something, I go out to their site, and I can pretty much find it.

The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it.

I have been using this solution for about five years.

It is excellent in terms of performance and reliability.

Its scalability is excellent. Its users are mostly on the backside. I know there are a lot of opportunities to allow developers and engineers to access Splunk for doing different things, but we use it purely for information assurance and system monitoring. So, our engineers and IA professionals are the only ones who access Splunk. We have a couple of them, but it supports thousands of users.

We started with Splunk Light, and now, we're using Splunk Enterprise across most of our projects. It is being used extensively. It is our primary SIEM product. I'm sure its usage will increase, but that's managed at a much higher level. The company has an agreement with Splunk on how our licensing model is established.

Their support is great. I've talked to them many times.

We used InTrust. We switched to Splunk because of its flexibility and capability.

Its initial configuration is pretty straightforward. Their repository for information and help is really good, which makes it pretty straightforward. You can just go out to their site and do a search for any question. Usually, someone else would have experienced the same issue.

It took us hours. We obviously expanded it as we were building the environment because we did it from scratch, but it only took hours to get it up and running and configured to do ingestion. We then deployed more forwarders and tweaked it as we went along.

It was implemented in-house. Its maintenance is pretty lightweight, and I take care of it. I have a couple of other team members to help make changes. We have engineers who are available for adding capacity. We have a team of six or seven people to support our Splunk Enterprise.

It is expensive. I used to buy it early on, but then they combined it into a higher-up organization. They buy it for multiple systems now. Last time, I paid around 60K for it.

There is just the licensing fee. That's all.

I would advise making sure that you incorporate enough storage and processing in order to properly support the environment.

I would rate it an eight out of 10. It is definitely the best tool I've ever used, but nothing is perfect. They could do a little bit better on data compression and system resource management, but outside of that, it is an excellent product.

We primarily use the solution for monitoring our infrastructure.

The models that we use are pretty mature at this point, which means we can be assured we are given the best use cases right out of the box.

We can just plug into the applications and everything is set up. There's very little configuration necessary.

The integrations that are offered with different tools are all very good. They offer integrations for all levels of security and have offerings from some of the other major solutions in the space.

The initial setup is pretty straightforward.

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution.

On-premises scaling of the solution is a bit more limited than it is on the cloud.

The pricing of the solution needs to be a bit lower.

It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great it the solution better aligned with global standards.

I've been working with the solution for three to four years at this point.

In terms of the cloud, scalability is very straightforward. It's just about as expansive as we want to go. When it comes to an on-premise deployment, there might be some scalability limitations. We've found we just have to cut hard on the resources as it does a lot of processing. Whereas the cloud is easy and has very little limitation, I'd advise others that on-premise may have some difficulties. 

On-premises, it's definitely on the customer to ensure they have the right plates. If they're concerned and they need 100% scalability, it's best to be on the cloud.

Technical support is very good. They know their product and they are responsive to requests. We're satisfied with the level of service provided to us.

We didn't have any issues with the initial setup. It's not too complex. We found the process to be very straightforward and very simple.

While I do understand that it is a premium tool, they could work to make it a bit less in terms of cost. It's a bit expensive.

We use a mixture of public and private cloud deployments.

I would definitely recommend the solution, having seen it work for others so well. Its ease of usage and its man integrations make it a great product. The way you can access whatever you need on the solution is very similar to a Google bar where you can search for anything you need. It's just a super quick responsive, product.

Overall, I would rate it a perfect ten out of ten. We have no complaints.

I work in the HIPAA industry. I work at a healthcare company in Puerto Rico. HIPAA requires us to go over security risks. Our use case right now is to be compliant.

In our hierarchy, we have 1000 servers and 16,000 endpoints. We also have 100 entry points and 3000 VPN connections. It's huge.

Manually, it used to take us a whole day to do strong monitoring. Now, it takes a maximum of two hours because of this product.

It creates a single pane of glass. Plus, it gives us the liberty to do more in terms of use cases, especially since HIPAA wants use cases. We must monitor them. Therefore, we can also add our own correlations for all our use cases.

The dashboard centralizes the daily routine. We used to do this by hand. Now, we go through daily checklists, using the dashboard and setting up the alarms. It helps us to cut down the time on this routine. 

I am a cybersecurity director. I manage five different business lines. Every morning, we used to have to go to different tools to get our daily routines done. With Splunk, centralized as it is, we can see everything in one place. We use it not only for monitoring events, but in case we need to do a group call. We can see what's going on, viewing all of the offenses and security events which are happening in our infrastructure.

The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall.

It was pretty straightforward. I even did a couple of logs myself. 

We implement through a vendor.

We were using QRadar as a POC. We were using for real at our cloud but also it was a POC for us because we were watching the product. But, QRadar needs a lot of fine tuning.

Generally, we leverage it to correlate all of our threat intelligence data with all of our log events to make researching them simpler.

Splunk Enterprise Security gives us a lot more visibility into the entire enterprise and makes our analysis simpler. It streamlines the process and makes it easier to handle it.

It is very important for us that Splunk Enterprise Security provides end-to-end visibility into our environment. It saves us all the time where we used to have to go from tool to tool to tool to track down issues. Splunk Enterprise Security has tenfold reduced the amount of time it takes to investigate any one thing.

Splunk Enterprise Security simplifies being able to pivot from one data point to everything else, and it does not matter where in the pipeline that occurred because you can see it all.

It has helped improve our organization’s ability to ingest and normalize data. It has been very impressive how it is able to handle all of that for visibility and tracking things down.

Splunk Enterprise Security has not yet helped to reduce our alert volume. Our alert volume has increased at this point because we are still getting used to it, but I see how it can reduce the alert volume.

It provides us with the relevant context to help guide our investigations. The biggest part of it is that when we go through the alerts and the notable events, we are able to pivot to information from data sources that are not necessarily in Splunk, and we are able to run the automated response actions.

Splunk Enterprise Security has helped reduce our mean time to resolve. I do not have the metrics, but it is a decent amount.

Every process has been streamlined. Things for which you have to bounce between multiple tools can be done in one place, which in its nature speeds everything up and reduces the manpower.

Correlation search, in general, is valuable because it allows us to search multiple data sources easily.

The main issue that I have with it is that the field transformations sometimes overlap with those in Splunk Enterprise, and then you get permissions issues that lead to troubles.

I do not have any additional features that can be included. From what I gather, Mission Control is already included in the next release, as is a lot of the Cisco threat data.

I have been using Splunk Enterprise Security for about five and a half years.

It is quite good.

I have not experienced any issues with the scalability, but I do not handle the scaling, so I cannot speak to that.

I do not have to deal with them, so I do not have any information. Our administrators handle that side of things.

I did not. We acquired Splunk around about the same time I joined the cybersecurity team. 

I do not handle the administrative part. I am more of a user.

In terms of the deployment model, I believe it is technically a hybrid deployment. I am not involved in the architecture, but I know we are not exclusively cloud and we are not exclusively on-prem. We use AWS.

I know we had Splunk Professional Services for the deployment, but I was not involved.

I do not know what the cost is, but I would imagine we have seen an ROI because we are able to run our security team with fewer people than previously.

I do not know what we evaluated because I came to the company at the same time we got Splunk.

I would rate Splunk Enterprise Security an eight out of ten. It is an amazing tool that provides so much visibility and streamlines so much. The main issues I have encountered with Splunk are the difficulties in configuration and keeping everything up to date as the data sources change.

We're using the solution for log analysis and our internal infrastructure. We may use it for customer offering at some point, but currently, it's completely internal.

The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.

I have been using Splunk Enterprise Security for well over a year.

We’ve had no issues with the solution’s stability.

We have 90,000 users and deal with massive amounts of data volume.

The solution’s technical support is fantastic.

Positive

We were using IBM's TSM backup tool and our own internal tool. We switched to Splunk Enterprise Security because we wanted to be more of a cloud-forward company and didn't want to host everything on-premises.

We installed the solution mostly by ourselves, but we did have a little help. We installed heavy forwarders at a relatively low cost. Since we already had a VMware environment, we just set up the VMs for the forwarding.

We have seen a return on investment with the tool in terms of seeing what users are doing.

Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price.

The tool provides much more insight into what users and our apps do. We also use the solution to monitor a lot of machine-to-machine traffic.

We have a hybrid environment. All of our internal tooling is in our internal data centers, but we also have a big cloud presence for some of our other tooling and mostly for our customers. Speaking from the internal side, Splunk Enterprise Security has been fantastic in helping us find all kinds of security events every day.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data. The solution has helped us have everything in one place and grab everything at once. The tool has also helped us solve problems in real time. The Ops team will approach us when they are stuck with a problem ticket. We can look instantly, see what's happening, and track it down.

The solution provides us with the relevant context to help guide our investigations. This context information makes things easier and faster for us. We get more information about exactly what's going on.

Splunk Enterprise Security has helped us save around 50% of our time.

Splunk Enterprise Security has helped reduce our mean time to resolve by 50%.

Overall, I rate the solution ten out of ten.

We will have clients that generate events through our platform and wish to export those events as data points to Splunk.

The solution improves our customers' integrations. They really want insights into what their users are doing. They want to be alerted to anomalies, general pain points, or popular areas in the integration to understand what's working and what's not.

The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing.

Splunk Enterprise Security should provide a better and richer integration. It has a regimented integration, where we had to build a Python library. It was a very tough way to integrate officially and get into the marketplace. We'd like to see more options so that we can better send data over to the Splunk platform.

The requirements of building the integration had to be a very specific and certain way to get onto your marketplace. Once it's there, it's fine, but it took a little effort to get it exactly that way. That's not as maintainable as we like, so we'd rather that be a more robust integration.

We've had an integration available for the better part of three or four years.

The solution provides good stability.

We haven’t seen any issues with the solution’s scalability.

We mostly interacted with the marketplace community. Although our support experience was not great, the issue was straightforward.

Our customers have seen a return on investment with the solution. We have seen customer satisfaction as it was a highly sought-after integration, and they're happy now that it exists.

The end-to-end visibility that the solution provides into our environment is incredibly important to our organization. We like to see it as the total answer. Any data point can be picked up, and you can really build anything you need from the integration. It's incredibly valuable with the data that it's generating. What the tool provides once integrated is highly valuable and sufficient for us.

Finding any security event across multi-cloud, on-premises, or hybrid environments with Splunk Enterprise Security has been incredibly easy. Using the rest of the Splunk platform, you can trigger whatever you need off the data coming in through the integration.

The solution has helped improve our organization's ability to ingest and normalize data. It also generates more customer activities so that there's a stickier relationship.

The Splunk integration triggers the necessary events so that downstream alerting isn't necessary.

Splunk Enterprise Security has helped speed up our security investigations. It's a great direct integration so that our customers can react quickly when necessary.

In principle, the solution has helped reduce our mean time to resolve, but not necessarily data points that we see as the integrator.

Overall, I rate the solution an eight out of ten.

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

I've been using the solution for three years now. 

It is a stable product.

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

Technical support is good.

Positive

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

I can't comment on pricing. I don't take care of that aspect. 

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.